Just a couple of notes: In addition to Certified Information System Security Profession (CISSP) and Certified Ethical Hacker (CEH), I’ve now completed the test for Certified Hacking Forensic Investigator (CHFI). The last was probably the easiest of the three certs for three reasons: Good testing material provided by another student/friend/former coworker, experience having worked with a number of folks in the field (cube farm right next to mine, hard not to listen and observe), and having been part of an investigation long ago (on the good side).

And food for though: A USB drive that steals information, encrypts what it doesn’t, uses some unique methods to generate encryption keys, and hides itself very effectively after the fact. Story right here. Remember, Practice Safe Computing. That flash drive you found laying on the sidewalk or handed to you by a vendor may lead to bad things…

Maybe I’m not as crazy as people think… I wrote here, here, and here how interconnected and cross-linked data is on the Internet. Personal information is continually being sold, re-sold, data mined, and misued to make money.

Someone at the Atlantic suddenly had the Giant Foam Clue Bat smack them in the face, that their good buddies in the tech industries were selling them out for a few cents per person.

Hillary is in deeper trouble. As I described previously, classified data corrupts absolutely, and the FBI is now looking at State Dept. computers trying to find out how classified data made it to Hillary’s email server. More backups are being found. And it turns out that someone outed an undercover agent by name. Seriously classified stuff. How Hillary and her pals stay out of orange pantsuits is beyond me.

Something funny to think about, though I forgot where I stole it from, sorry…:

There’s a BlogShoot at 340 Defense in a couple of weeks, but I won’t be able to make it. I’m getting bariatric surgery done the day before the shoot. I’m tired of either weighing on the high side of 250+ lbs, or having a terribly restricted diet just to maintain 240 lbs. So I’m getting the Gastric Sleeve performed, where a major portion of my stomach will be lopped-off. No resection of my small intestine like my wife had with her Roux-en-Y operation five years ago. That was a life-saver for her. I’m nowhere near as unhealthy, but want a better, more enjoyable lifestyle. And eliminate the growing problems of diabetes, high blood pressure, constantly changing wardrobe, etc. Will pass more info on that later. So think of me while y’all are out there having a real blast. I’m sorry to miss the event, for sure.

The Zombie Truck is back together but has a terrible noise. The noise happens when I’m not entirely on the throttle, but not entirely off either. Really annoying – the transmission and transfer case were both professionally rebuilt just a couple of weeks ago. I pulled the rear axle cover off, dumped the fluid, and saw no damage to the rear ring and pinion, so repackaged with new gasket and fluid. If it’s not the transfer case, then I may have a damaged axle shaft. Sigh.

Finally, I’ll be out of sorts next week. Heading out to get some learnin’ done. Training and testing for Certified Ethical Hacker. Yeah, a real oxymoron if you ever heard one. But a cert that’s sure to help my career in the long run.

So, if you promise to clean the cat litter box and take the dog out daily, I’ll make sure to stock the freezer with some chocolate-chip cookie dough ice cream. And tuna-flavored ice cream for my few Kzin friends out there.

Back-story: three years ago I created an email on an anonymiser email system. Created a strange user name to go along with it, and used that name to create a Facebook account. There’s a few things I want to do and Facebook is the only way. A 4×4 club, the local online garage sale, etc. I played for a few days, ignored the Facebook account for three years. The anonymous email account died after 90 days of inactivity.

Fast-forward to this weekend. I decided to resurrect the account to get back into the above groups and some others. I created a brand-new Apple iCloud alias to my primary email. I used the old anonymous email account and got lucky on the password. Decided to change the email address to the new Apple alias that had never been used for email. Facebook sent the new alias address the usual “respond if this is you” email, which I responded to. Logged into Facebook with the new email address, and Facebook INSISTED on a phone number to complete registration. I used my wife’s phone number, and she read me the validation SMS message which I put into Facebook. I then deleted her phone number from the account. I proceeded to tighten down all of the settings I could find, and put in absolutely no additional information. That was like three or four days ago.

Today I signed into Facebook and got a huge shock: Facebook recommended that I Friend a large number of people that I know, professionally, personally, and from my wife’s church. Almost two dozen people, some of whom I haven’t emailed or called in several years.

HOW IN THE HELL DID IT GET THAT INFORMATION!?!?!?!?

I NEVER used the alias email account except to re-activate the Facebook account, the old email account was three-years dead. The user name that I used on the Facebook account is literally junk, just enough to get by Facebook’s name filter. My wife’s phone number. I studiously log out of online services when done, so it should not be able to cross-site script. I never have my browser save passwords. I can only think of two ways: Facebook read my local computer/iCloud address book, or Facebook read my LinkedIn profile and glommed my Links from there. After more thought, it has to be LinkedIn. How, I don’t know. But somehow Facebook did it.

Bad ju-ju. The new email alias is gone, Facebook account cancelled. Can’t do much more to protect myself other than do a password scrub. I’m starting to dislike this “linked” society. And my tin-foil hat just ratcheted tighter a couple of notches. All you in the IC, you’ve got something to look into and think about.

Now you understand the title and lead on this post. “Spooky action from a distance.”

Hillary! is in deep doggy-doo. As mentioned previously, there’s classified and then there’s classified. Hillary!’s email has now been found by the Inspector General of the Intelligence Community (IG-IC) to have had at least two emails (out of the 40 that they’ve looked at so far) that are classified. Not just a little classified, but about as classified as you can get without divulging classified classifications. I won’t even put the IG-IC’s markings in this blog, I don’t want it showing up. Search for yourself. Out of 30,000 PRINTED, not electronic emails that were released to State, with another 30,o00 not released to state but conveniently deleted by Hillary! and Co.

So again, how do you get this level of information on an Unclassified system? Type it in by hand, get it via sneaker-net (CD/DVD/flash drive), or have a live network connection. Any one of these methods now means that the entire system, the contents of the system, all of the phones and computers that received email and documents from that system, should now be considered contaminated with classified information. Two words that chill any security-cleared FSO/PSO/CPSO/GSSO/IT/IA person’s bones: Data Spill. Or another two words: System Contamination.

Who’s going to have the cajones to recall every single computer/phone/tablet/CD/DVD/tape that was generated from this machine? And who will be responsible for the “dirty word search” that must be performed. And these pieces of hardware destroyed IAW NSA/CSS Policy Manual 9-12 ? Where will all of these systems be stored (and it will have to be classified to the max possible)? Not to mention all of the Inadvertent Disclosure statements?

The mind reels at the mass stupidity that was perpetrated by Hillary! and Co.

If you weren’t affected by the MyFriendFinder hack noted here, but have instead been using Ashley Madison to make your hookups, you’re still screwed, and not in a good way. It appears that AM is now being blackmailed – either shut down or the account information for your 37 million members will be released to the public.

Used to be you were warned to practice safe sex. Now you have to practice safe computing too.

UPDATE: According to this report, OPM has also lost our fingerprints. So much for two-factor authentication where fingerprints are used. iPhones, laptops, entry control systems that use fingerprints are now null-and-void. Just a little gelatin and you can make a molded fingerprint that will fool a large number of security systems.

Well, the OPM hack has gotten even bigger. The formerly classified information regarding volume and type of information that was stolen was finally released today. Over 21 million people’s personal information was stolen. Social Security Numbers, convictions, family members, acquaintances, prior employees, prior residences, financial information, but even better, your passwords into eQIP. Hope you don’t use the same password everywhere…

My organization is going through a reaccreditation with a DoD component. It’s not easy, and we don’t have near the amount of equipment or size that OPM has. It’s entirely ridiculous to think that they have made even a passing attempt at meeting regulations, and it shows.

Well, all of a sudden our Lawmakers discovered that their information is not as well protected as they thought and they’re demanding Immediate Action. Which contravenes what our Intel community wants, which is weakened encryption “to save the chillins'”. Guess what, you can’t have both!

Found here: OPM Hack Hearings – all of a sudden, system security is a priority. Encryption of personal data, officially known as PII, Personally Identifiable Information, is now a priority. Use of two-factor authentication (CAC/PIV and PIN) is a priority.

Guess what Twinkletoes – These were Federal priorities ten years ago and now you’re ten years late to the game. The horse has escaped the barn. This is a dead parrot. You significantly failed to meet Federal guidelines and requirements and have failed to secure something under 20 million people’s personal data. But it gets better (This is repetative for those who have done an SF-86 and EQIP): An SF-86 requires three personal references, not work related, with phone and address. Each employment history listed must have your supervisor and their phone number at a minimum. And each home that you lived at must have a reference person. All for the last ten years minimum, some clearances require longer histories. Do the math to figure out how many people are listed on my SF-86. Something like a dozen people, some with their own clearance, some without. Oh, and your parents, to include their socials, addresses, and phones (if they’re still alive, heh), siblings, spouse, spouse’s family info, foreign relatives, foreign business and banking accounts, etc. Multiply that by 20 million leaked names, then build the network of relationships. 20 million people is around 15% of the US population (roughly 300 mil)? Add a dozen contacts, another two to four family members? You’ve now captured something on the rough order of 30-40% of the US population’s personal information?

Then you piece together and diagram the relations of what you work on, where’ you’ve worked, the relationships with others who have worked in the same organizations, when you got your clearance, what the level of your clearance was, and you can figure out what type of work you have done for the most of your work history.

OK, lots of electrons have been executed in writing about the hack at the OPM/Department of the Interior (DoI). Now the Department of State (DoS, get it? Denial of Service) has shut down overseas passport and visa services. The follow are some background thoughts on the issue from a long-time system administrator, information assurance officer/manager, and security control assessor.

Second, between 2010 and 2013, their Federal Information Security Management Act score fell from nearly 80% to just over 50%. (Department of State poor cybersecurity). In 2014, the DoS fell to 42%, in spite of a doubling of their Office of Information Assurance budget from $7 million to $14 million (dollar amount from above link, 2014 FISMA score from the FY2014 FISMA report). Even though DoS spent $114 million in Cybersecurity in 2014. (again the 2014 FISMA report). So, DoS was rapidly failing to maintain their security posture, even spending a bunch of money. Bear in mind, Cybersecurity and Information Assurance are two different fields. Comment if you want an explanation…

Third, Hillary Clinton, former Secretary of State at the Department of State, had her own personal email server. Well known fact, I’m not going to provide links for this. But nobody has seen this server, knows what software or hardware hosted the system, what security measures were put in place on the machine or its network. And Hillary refuses to provide information other than what SHE is willing to provide. Golly-gee. Think that someone could have hacked that system? And maybe spoofed an email or email attachment from that system to someone who, let’s say, has a real DoS email, or maybe White House email account? Maybe that’s how this happened: Hackers breach White House Unclassified systems. So, DoS had an extended connection via email to Hillary’s email server. And maybe not that extended, depending on how it was configured to share data between the server and DoS’s email servers. It’s called Send Connectors and Receive Connectors. This tells Exchange how to send and receive mail with another mail server. Connectors can send/receive from clients, Internet Service Providers, and other Exchange servers (think DoS servers).

As an aside, here’s something interesting that was added to Exchange Server 2010 (came out in 2009):

Recoverable Items: The compliance and legal search features have been enhanced. What was formerly known as the “Dumpster” in previous versions of Exchange (a special storage area for messages which have been deleted from the Deleted Items folder or “permanently deleted” from a regular folder, such as the Inbox) has been evolved into the Recoverable Items folder in Exchange Server 2010. If configured appropriately, the Recoverable Items folder allows for a “tamper proof” storage area (users cannot circumvent the Recoverable Items folder to bypass legal discovery), which also provides a revision history of any modified items.

Gosh. If Hillary was running Exchange Server 2010, maybe that’s why she didn’t want to hand it over. Or maybe Lois Lerner’s IRS email may be more recoverable than they’re telling us?

Fourth, when Yemen was taken over earlier this year, the embassy un-assed their facility rather quickly. But lacking direction, and as a precaution, left their OpenNet system operational, with data and network connectivity. OBTW, OpenNet is used for visas and passports. It took three days for the DoS to remotely wipe the sensitive information from the system. But no word if the system itself was sanitized, or what happened to that network connection itself. It’s not easy to remotely scrub a Windows system. Severing a network connection isn’t hard if properly configured, but it still leaves access to the system itself, and provides all of the information necessary to evaluate the security measures on that system. And if the drive is pulled, it can be forensically recovered, if the level of data wiping is insufficient. Remember, a better wipe of a system takes longer. Large drives and seven-time overwrite can take hours to days. One-time overwrite is junk if you have the right equipment. (Sensitive information left on US Embassy systems in Yemen following pullout)

Fifth, in spite of requirements for strong authentication procedures, read PIV or CAC card or equivalent, both DoS and OPM ten years later still do not use PIV or CAC, just username/password combinations. Also found in the FISMA 2014 report. There’s lots more in the report that’s pretty disgusting to an IA professional, especially one who’s had to do inspections on contractors and agencies.

Sixth, the same FISMA report shows that DoS and OPM do not scan remote connections for malware. So just plug in your virus-laden computer from home/travel/Internet cafe, who cares…

Finally, Hillary used various mobile devices to connect to her mail. More than one, though it was a challenge for her to manage just that one reportedly. Which means that there were more holes opened in her email server and any protective firewalls, spam filters, packet analysis systems, etc. Blackberry devices, in case you didn’t know, use Canadian servers to manage the devices and data flow, and require internal servers to manage the connection from Exchange, to Blackberry, to Blackberry (Canada) services, to Blackberry device. IOS and Android devices require even more connectivity to support email from Exchange, via Blackberry services or directly from Exchange. If the German Chancellor’s phone (a Blackberry) was hacked (Angela Merkel’s phone hacked), why couldn’t Hillary’s phone be hacked. WAIT, IT WAS. Well, sort of. Her call was recorded and not deleted. At least, that’s what Germany’s Bundesnachrichtendienst (BND) reportedly did, sometime between Merkel’s hack and the time Hillary left the DoS (Hillary’s phone hacked by German BND). Didn’t hear about that one, didja?

The problem? It appears that nobody at the DoS gives a flying fsck about system and data security. This includes implementing the security, documenting the security measures, evaluating the security posture, and maintaining those measures. Systemic failure.

The solution? Shut the system down. Blackball the IT and IA personnel, both government and contractor. Blackball the contracting companies that support the system. Make an example of them. Personally, I think that proper Roman-style decimation wouldn’t be too extreme. Maybe then someone will wake up, pay attention, and give a hoot.

Unfortunately, it’s too late. Not only has the DoS been hacked massively, OPM has followed in their footsteps, both in failing to meet cybersecurity (FISMA) standards and in successfully losing our information.

(Gack. The FISMA 2014 report is a post of its own. Fail of massive proportions.)

Word to all those sexual deviants out there with an Adult FriendFinder (no, I’m NOT going to link that one) account: You’ve been hacked. According to TFA (The Fine Article) here – CNN Article on Adult FriendFinder Hack, approximately 5% (3.5 million out of 64 million) have had nearly all of the personal information stolen. Lucky for them, their credit cards weren’t taken. Unlucky for them, their sexual preferences that they put into the service WAS stolen, along with usernames, email addresses, birthdays, zip codes and passwords.

Just think of how many new victims of bribery and blackmail there are…

Understand, when you hand over information, you are now trusting the recipient to properly safeguard it for you. Medical information, tax information, credit information, you name it. Even the intelligent electric meters in your home leak information over time when collected and analyzed.

What to do, other than closing accounts (your info is still in their hands)? Just don’t do it. That’s one reason I waited so long to even start a blog, and I HATE having to do health insurance online, see previous posts. Otherwise? I dunno. Ask BorePatch

The company that I work for provides health insurance. Not a bad policy, but as health insurance goes, getting more and more expensive every day. One of the “benefits” of said policy is the Wellness Program. Your incentive to make use of the Program is that the insurance company will not charge you an additional $300 per year. Some incentive.

So I go to the Wellness Program web site. Create an account, sign in, fill in some information that is supposed to be normalized with everyone else’s information. That’s the easy part. The harder part is getting lab work done. Wife and I live a ways out of the big cities of the East Coast. Which means labs are a little harder to find, especially when they must belong to a specific service/chain. Alternative is to create an account with that specific service and get previous lab test results to send to the Wellness company.

To create an account with the lab company, you must use Microsoft’s HealthVault service, which means using something to get into HealthVault. Either a Microsoft Live/Outlook Online account, or OpenID, or FaceBook. Never had M$ account, don’t play FaceBook, leaving OpenID. Supposedly if you have WordPress.com, you can use OpenID to authenticate into HealthVault. No-go, Microsoft won’t play with WordPress to accept authentication. So I grin and bear it, and create a Live ID. Easy enough. Then go back to the Lab company’s site and use the Live ID to log into the Lab site. Which then insists on asking me some questions to verify my identify.

Here’s where it gets creepy…

The Lab company’s website asked multi-choice questions to include 1) Which of the following streets have I NOT lived on, 2) What is the year of our RV (by chassis manufacturer’s model name, not RV name), 3) What cities have I NOT lived in, 4) What cars have I NOT owned.

Somewhere, somehow, the Lab company’s site is linking into several other databases to verify specifically who I am. Not by SSN either, it only asked for the last 4 of that. Databases could have included vehicle registration of multiple states and property tax/home ownership of several states. And this is just so I can see the online results of my lab work, which isn’t current enough for the Wellness program…

So if they’re connecting to so many databases, who’s managing, orchestrating, and overseeing these links and requests for information. And how different is this from what HealthCare.gov and its subsidiary state O-Care sites inter-link?

Now that folks are using the Obamacare website or their State equivalent, more “good” news: the health care companies that are being trusted with more and more information are as bad or worse for their security. Ponemon Institute did a recent study (Ponemon Institute study on health care companies security) and found that half (yes, HALF) of them have been victims of deliberate attacks to steal information, and in the last two years 9 out of 10 reported security breaches.

So let’s sum up this little lesson in Information Assurance (IA): If you do not bake security into your system from the start, you are playing a losing game, and your customers will be the losers. You, the company, have insurance to cover such a loss and various laws to protect you. But your customers (you, me, your parents and kids) will suffer.

Found here a couple of days ago: Infusion pump fail on slashdot.org. Basically, a very common medical device manufacturer totally FAILED at implementing security in their infusion pumps, and have had DHS posting critical failures on their networked software that drives the pumps and other devices. The lack of security controls in the pump would allow compromise of the pump within only a few minutes or less, and that compromise could be used to leapfrog and take over the hospital’s wireless Critical Devices network. RTFA article for more links to the investigators site and more info.

Pump has an Ethernet port. Plug a computer in, fire up telnet, read the files on the pump, alter settings, get the WiFi network access codes, take over the hospital network. Just because it’s too hard to put passwords, secure protocols, and physical protective measures in place .

And that’s why I don’t want to have a thing to do with “The Internet of Things”.